Abstract

It is proved that any protocol that constructs a reliable data link service using a physical channel service necessarily includes in the packets some header information that enables the protocol to treat different packets differently. The physical channel considered is permitted to lose, but not to reorder or duplicate, packets. The formal framework used for the proof is the I/O automaton model.
1 Introduction

Formal models of concurrent programming have been advanced as a suitable foundation for providing rigorous verification of protocols against specifications. A very different use is to give proofs of impossibility results: showing that no protocol can possibly solve a particular problem. The features of a formal model that are necessary to support impossibility proofs are not necessarily the same as those that make verification easy. A discussion of these features can be found in [11]. In this paper, we use the I/O automaton formal model (see [10] for a general exposition of the model) to prove that any protocol that provides a data link service by using a physical channel service necessarily includes in the packets some header information that enables the protocol to treat different packets differently. The interest of this work, we believe, is not so much in the result (no one ever suggested using a protocol without header information) but rather in the way this formal model (which has proved successful in verifying quite complicated protocols, as in [9, 15, 3, 4, 6, 14]) can be used to show the nonexistence of protocols with certain properties.

The authors were supported in part by the National Science Foundation under grant CCR-86-11442, by the Office of Naval Research under contract N00014-85-K-0168 and by the Defense Advanced Research Projects Agency under contracts N00014-83-K-0125 and N00014-89-J-1988.
There has recently been a lot of research in the distributed computing theory research community into the possibility of constructing a reliable message transmission service using an underlying unreliable packet transmission service (see [8, 1, 16, 12], for example). Most of this work has addressed the case where the physical channel is especially unreliable, in that it can lose packets and also deliver packets out of order. In these cases the natural protocol, due to Stenning [13], places each message into a packet with a sequence number as header, and repeatedly sends the packet until its receipt has been acknowledged. The difficulty with this protocol is that the sequence numbers increase without bound, and the papers mentioned above explore the possibility of using a fixed size header. By contrast, in this paper we consider using a FIFO (but possibly lossy) physical channel. There are many protocols known for this situation, most being variants on the Alternating Bit protocol [2], in which packets and acknowledgments contain a single bit header. We show that this header is needed, in that there is no protocol that solves the same problem without using some header to distinguish between packets. A key modeling issue is how to measure the existence of a header in an arbitrary protocol, without assuming a particular structure (such as [sequence-number, message]) for the packets. The definitions we use are adapted (and simplified) from those in [8, 5].

In Sections 2-4, we show how we model the different service specifications and the construction of an arbitrary protocol to provide a data link service using two physical channels. In Section 5 we define the specific physical channels we will use in the main result. In Section 6 we prove a result that includes much of what we want, while avoiding the more subtle modeling issues: we show the impossibility of implementing a data link service using identical packets in each direction. In Section 7 we discuss how to define the headers used by an arbitrary protocol, and finally we present the impossibility result. A summary of the I/O automaton model is given in the Appendices.

2 The Physical Layer

The physical layer is the lowest layer in the OSI Reference Model hierarchy, and is implemented directly in terms of the physical transmission media. A standard interface to the physical layer permits implementation of the higher layers independently of the transmission media.

In a typical setting, a physical layer interacts with higher layers at two endpoints, a "transmitting station" and a "receiving station". The physical layer receives messages called "packets" from the higher layer at the transmitting station, and delivers some of the packets to the higher layer at the receiving station. The physical layer can lose packets. While it is also possible for packets to be corrupted by the transmission medium, we assume that the physical layer detects corrupted packets using error-detecting codes and discards them, so that corruption appears to the higher layer as loss. Thus, the only faulty behavior we consider is loss of packets.

In this section, we give a specification for physical layer behavior; in particular, we specify a channel that ensures FIFO delivery of packets. It is convenient to parameterize the specification by an ordered pair $(t, r)$ of names for the transmitting and receiving stations, and by an alphabet $P$ of legal packets. The specification will be given by a schedule module, denoted by $PL\text{-}FIFO^{t,r,P}$.

$PL\text{-}FIFO^{t,r,P}$ has the action signature illustrated in Figure 1 and given formally as follows.

Input actions:

$send\_pkt^{t,r}(p)$, $p \in P$

Output actions:

$receive\_pkt^{t,r}(p)$, $p \in P$

There are no internal actions. The $send\_pkt^{t,r}(p)$ action represents the sending of packet $p$ on the physical channel by the transmitting station, and $receive\_pkt^{t,r}(p)$ represents the receipt of packet $p$ by the receiving station. We will refer to the actions in $acts(PL\text{-}FIFO^{t,r,P})$ as physical layer actions (for $(t,r)$ and $P$).

In order to define the set of schedules $scheds(PL\text{-}FIFO^{t,r,P})$ of the schedule module, we first define a collection of properties, reflecting the operation of a "good" physical channel. The properties are defined with respect to $\beta = \pi_1 \pi_2 \cdots$, a (finite or infinite) sequence of physical layer actions, and a correspondence relation, a binary relation between the $send\_pkt^{t,r}$ events and the $receive\_pkt^{t,r}$ events in $\beta$. The correspondence relation is intended to model the association that can be set up between the event modeling the sending of a packet and the event modeling the receipt of the same packet. Complications are caused by the fact that the same data might be sent repeatedly, and so the sending of two such identical packets is modeled by two occurrences of the same action $send\_pkt^{t,r}(p)$.

(PL1) 1. If an event $\pi_i = receive\_pkt^{t,r}(p)$ corresponds to an event $\pi_j = send\_pkt^{t,r}(q)$, then $p = q$, and also $j < i$, that is, the event $\pi_j$ precedes $\pi_i$ in $\beta$.

2. Each $receive\_pkt^{t,r}(p)$ event corresponds to exactly one $send\_pkt^{t,r}(p)$ event.

3. Each $send\_pkt^{t,r}(p)$ event corresponds to at most one $receive\_pkt^{t,r}(p)$ event.

Thus, when (PL1) is satisfied, any $receive\_pkt^{t,r}(p)$ in $\beta$ will have a corresponding $send\_pkt^{t,r}$ event.

The next property we define is the FIFO property. It says that those packets that are delivered have their $receive\_pkt$ events occurring in the same order as their $send\_pkt$ events. Note that (PL2) may be true even if a packet is delivered and some packet sent earlier is not delivered; there can be gaps in the sequence of delivered packets representing lost packets.

(PL2) (FIFO) Suppose that the event $\pi_i = send\_pkt^{t,r}(p)$ in $\beta$ corresponds to the event $\pi_j = receive\_pkt^{t,r}(p)$, and $\pi_k = send\_pkt^{t,r}(p')$ corresponds to $\pi_l = receive\_pkt^{t,r}(p')$. Then $i < k$ if and only if $j < l$.
So far, the properties listed have been safety properties, that is, when they hold for a sequence they also hold for any prefix of that sequence. The final property is a liveness property. It says that if repeated send events occur, then eventually some packet is delivered.

(PL3) If infinitely many $send\_pkt^{t,r}$ actions occur in $\beta$, then infinitely many $receive\_pkt^{t,r}$ actions occur in $\beta$.

Now we define the schedule module $PL\text{-}FIFO^{t,r,P}$. We have already defined $sig(PL\text{-}FIFO^{t,r,P})$. Let $scheds(PL\text{-}FIFO^{t,r,P})$ be the set of sequences $\beta$ of physical layer actions for which there exists a correspondence such that (PL1), the FIFO condition (PL2), and (PL3) are all satisfied for $\beta$ and that correspondence. A FIFO physical channel from $t$ to $r$ is any I/O automaton that solves $PL\text{-}FIFO^{t,r,P}$.

In a "real-world" implementation of a physical channel using a physical transmission medium, (PL3) would not be guaranteed with absolute certainty, but rather with extremely high probability. In practice, this probability is usually sufficiently high to justify our decision to ignore in the formal model the small likelihood that no packets ever get delivered on an active channel, just as we have neglected the small probability of "real-world" channels corrupting a packet undetectably.

3 The Data Link Layer

The data link layer is the second lowest layer in the hierarchy, and is implemented using the services of the physical layer. Generally, it is implemented in terms of two physical channels, one in each direction. It provides a reliable one-hop message delivery service, which can in turn be used by the next higher layer.

We again assume that there are two endpoints, a "transmitting station" and a "receiving station". The data link layer receives messages from the higher layer at the transmitting station, and delivers them at the receiving station. The data link layer guarantees that every message that is sent is eventually received. Furthermore, the order of the messages is preserved.

In this section, we give a specification for data link layer behavior, as a parameterized schedule module $DL^{t,r,M}$, where $M$ is an alphabet of legal messages. The development is very similar to that for the physical layer; in fact, the only significant difference is between the liveness conditions (DL3) and (PL3). The action signature $sig(DL^{t,r,M})$ is illustrated in Figure 2, and is given formally as follows.

Input actions:

$send\_msg^{t,r}(m)$, $m \in M$

Output actions:

$receive\_msg^{t,r}(m)$, $m \in M$

There are no internal actions. The $send\_msg^{t,r}(m)$ action represents the sending of message $m$ on the data link by the transmitting station, and $receive\_msg^{t,r}(m)$ represents the receipt of message $m$ by the receiving station. We will refer to the actions in $acts(DL^{t,r,M})$ as data link layer actions.

Figure 2: The Data Link Layer

In order to define the set $scheds(DL^{t,r,M})$, we again define a collection of auxiliary properties. They are defined for a sequence $\beta = \pi_1 \pi_2 \cdots$ of data link layer actions and a correspondence relation, a binary relation between the $send\_msg^{t,r}$ events and the $receive\_msg^{t,r}$ events in $\beta$. The first property is analogous to (PL1) and gives elementary requirements on the correspondence.

(DL1) 1. If an event $\pi_i = receive\_msg^{t,r}(m)$ corresponds to an event $\pi_j = send\_msg^{t,r}(n)$, then $m = n$, and also $j < i$, that is, the event $\pi_j$ precedes $\pi_i$ in $\beta$.

2. Each $receive\_msg^{t,r}(m)$ event corresponds to exactly one $send\_msg^{t,r}(m)$ event.

3. Each $send\_msg^{t,r}(m)$ event corresponds to at most one $receive\_msg^{t,r}(m)$ event.

The next property is the FIFO property; it guarantees that the messages sent are received in the same order.

(DL2) (FIFO) Suppose that the event $\pi_i = send\_msg^{t,r}(m)$ in $\beta$ corresponds to $\pi_j = receive\_msg^{t,r}(m)$, and $\pi_k = send\_msg^{t,r}(m')$ corresponds to $\pi_l = receive\_msg^{t,r}(m')$. Then $i < k$ if and only if $j < l$.

Finally, we have the data link layer liveness property. It says that all messages that are sent are eventually delivered. This property expresses the reliability of the message delivery guaranteed by the data link layer.

(DL3) If $\pi$ is a $send\_msg^{t,r}(m)$ event occurring in $\beta$, then there is a $receive\_msg^{t,r}(m)$ event in $\beta$ corresponding to $\pi$.

Note that in combination with (DL1), (DL3) implies that there is exactly one $receive\_msg^{t,r}(m)$ event corresponding to each $send\_msg^{t,r}(m)$ event. Now we can define the schedule module $DL^{t,r,M}$. We have already defined $sig(DL^{t,r,M})$. Let $scheds(DL^{t,r,M})$ be the set of sequences $\beta$ of data link layer actions for which there exists a correspondence relation such that (DL1), (DL2), and (DL3) are all satisfied for $\beta$ and the correspondence relation.

Although the schedule module $DL^{t,r,M}$ represents the behavior one would require from an interesting data link layer, it is useful for us to define another schedule module $WDL^{t,r,M}$ representing weaker requirements on data link behavior, in which the layer is required to eventually deliver each message that is sent, but not necessarily in FIFO order. Thus, let $sig(WDL^{t,r,M}) = sig(DL^{t,r,M})$, and let $scheds(WDL^{t,r,M})$ be the set of sequences $\beta$ of data link layer actions for which there exists a correspondence relation such that (DL1) and (DL3) are satisfied for $\beta$ and the correspondence.

Although this weaker specification is less interesting than $DL^{t,r,M}$ for describing properties of a useful data link layer, it is adequate for proving our impossibility result. It is easy to see that $WDL^{t,r,M}$ is a weaker specification than $DL^{t,r,M}$, i.e., that $scheds(DL^{t,r,M}) \subseteq scheds(WDL^{t,r,M})$. Thus, any automaton that solves $DL^{t,r,M}$ also solves $WDL^{t,r,M}$, so that the impossibility results we obtain for solving $WDL^{t,r,M}$ immediately imply corresponding impossibility results for solving $DL^{t,r,M}$.

We have the following immediate consequence of the definition:

Lemma 3.1 If $\beta$ is in $scheds(WDL^{t,r,M})$ then the number of $send\_msg^{t,r}$ events in $\beta$ is equal to the number of $receive\_msg^{t,r}$ events in $\beta$.
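The correspondence-based specifications of Section 2 and this section are easy to misread, so here is a checker for their safety parts, written for this page as an added example (it is not code from the paper). A finite trace is a list of (action, value) pairs such as ("send_pkt", p) and ("receive_pkt", p); the same two functions check (DL1)/(DL2) when called with the action names "send_msg" and "receive_msg". The liveness conditions (PL3) and (DL3) concern infinite schedules and cannot be decided from a finite prefix, so they are deliberately left out. The function names and the sample traces are our own.

```python
"""Checker for the safety part of the channel specifications of Sections 2 and 3.

Added example, not code from the paper.  A trace is a finite list of
(action, value) pairs such as ("send_pkt", p) / ("receive_pkt", p); the same
functions check (DL1)/(DL2) when called with "send_msg" / "receive_msg".  The
liveness conditions (PL3), (DL3) speak about infinite schedules and cannot be
decided from a finite prefix, so they are not checked here.  The function names
and the sample traces are our own.
"""


def find_correspondence(trace, send="send_pkt", recv="receive_pkt"):
    """Return a correspondence {receive index: send index} satisfying (PL1) and
    (PL2) for the finite trace, or None if no such correspondence exists.

    Leftmost greedy matching: the j-th receive is paired with the earliest
    send of the same value that precedes it in the trace and comes after the
    send paired with the (j-1)-th receive.  Taking the earliest candidate
    each time is complete: if any FIFO correspondence exists, this one does.
    """
    corr = {}
    last_send = -1
    for r, (act, val) in enumerate(trace):
        if act != recv:
            continue
        s = last_send + 1
        while s < r and trace[s] != (send, val):
            s += 1
        if s >= r:              # no usable send before this receive
            return None
        corr[r] = s
        last_send = s
    return corr


def violations(trace, corr, send="send_pkt", recv="receive_pkt"):
    """Names of the properties among (PL1.1)-(PL1.3), (PL2) that the pair
    (trace, corr) violates; an empty list means the safety part holds."""
    bad = set()
    for r, (act, _) in enumerate(trace):
        if act == recv and r not in corr:
            bad.add("PL1.2")    # a receive with no corresponding send
    used = set()
    for r, s in corr.items():
        if (not (0 <= s < r < len(trace)) or trace[s][0] != send
                or trace[r][0] != recv or trace[s][1] != trace[r][1]):
            bad.add("PL1.1")    # wrong packet, or send does not precede receive
        if s in used:
            bad.add("PL1.3")    # one send corresponding to two receives
        used.add(s)
    by_receive = sorted(corr.items())
    for (_, s1), (_, s2) in zip(by_receive, by_receive[1:]):
        if not s1 < s2:
            bad.add("PL2")      # deliveries out of send order
    return sorted(bad)
```

Because a correspondence is existentially quantified in the definition of $scheds$, a finite trace is accepted exactly when `find_correspondence` returns something; `violations` is useful separately when a channel implementation exposes the correspondence it actually used, as the permissive channel of Section 5 does.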

4 Data Link Implementation

In this section, we define a "data link protocol", which is intended to be used to implement the data link layer using the services provided by the physical layer. A data link protocol consists of two automata, one at the transmitting station and one at the receiving station. These automata communicate with each other using two physical channels, one in each direction. They also communicate with the outside world, through the data link layer actions we defined in Section 3.

Figure 3 shows how two protocol automata and two physical channels should be connected, in a data link implementation.

4.1 Data Link Protocols

Let $t$ and $r$ again be names (for the transmitting and receiving station respectively). Let $M$, $P_1$ and $P_2$ be alphabets (of messages, forward packets and backward packets, respectively). Then a transmitting automaton for $(t,r)$ and $(M, P_1, P_2)$ is any I/O automaton having the following external action signature.

Input actions:

$send\_msg^{t,r}(m)$, $m \in M$

$receive\_pkt^{r,t}(p)$, $p \in P_2$

Output actions:

$send\_pkt^{t,r}(p)$, $p \in P_1$

In addition, there can be any number of internal actions. That is, a transmitting automaton receives requests from the environment of the data link layer to send messages to the receiving station $r$. It sends packets to $r$ over the physical channel to $r$. It also receives packets over the physical channel from $r$.

Similarly, a receiving automaton for $(t,r)$ and $(M, P_1, P_2)$ is any I/O automaton having the following external signature.
Figure 3: A Data Link Implementation

Input actions:

$receive\_pkt^{t,r}(p)$, $p \in P_1$

Output actions:

$send\_pkt^{r,t}(p)$, $p \in P_2$

$receive\_msg^{t,r}(m)$, $m \in M$

Again, there can also be any number of internal actions. That is, a receiving automaton receives packets over the physical channel from $t$. It sends packets to $t$ over the physical channel to $t$, and it delivers messages to the environment of the data link layer.

A data link protocol for $(t,r)$ and $(M, P_1, P_2)$ is a pair $(A^t, A^r)$, where $A^t$ is a transmitting automaton for $(t,r)$ and $(M, P_1, P_2)$, and $A^r$ is a receiving automaton for $(t,r)$ and $(M, P_1, P_2)$. (Often we will omit mention of the station names and the alphabets, if these are clear from context.)

4.2 Correctness of Data Link Protocols

Now we are ready to define correctness of data link protocols. Informally, we say that a data link protocol is "correct" provided that when it is composed with any "correct physical layer" (i.e., a pair of FIFO physical channels from $t$ to $r$ and from $r$ to $t$, respectively), the resulting system yields correct data link layer behavior. This reflects the fundamental idea of layering, that the implementation of one layer should not depend on the details of the implementation of other layers, so that each layer can be implemented and maintained independently. Formally, suppose $(A^t, A^r)$ is a data link protocol for $(t,r)$ and $(M, P_1, P_2)$. We say that $(A^t, A^r)$ is correct provided that the following is true. For all $C_1$ and $C_2$ such that $C_1$ is a FIFO physical channel from $t$ to $r$ with alphabet $P_1$, and $C_2$ is a FIFO physical channel from $r$ to $t$ with alphabet $P_2$, $hide_\Phi(D)$ solves $DL^{t,r,M}$, where $D$ is the composition of $A^t$, $A^r$, $C_1$ and $C_2$, and $\Phi$ is the subset of $acts(D)$ consisting of $send\_pkt$ and $receive\_pkt$ actions.

As mentioned earlier, our impossibility results can be proved for weaker data link requirements. Thus we also define weak correctness for data link protocols. This is defined exactly as for correctness, except that $hide_\Phi(D)$ is required to solve $WDL^{t,r,M}$ instead of $DL^{t,r,M}$. Obviously, any correct data link protocol is also weakly correct.

Note that the definition of "solves" upon which these correctness definitions are based appears in Appendix A.4. Examination of that definition shows that these correctness definitions require that the fair behaviors of $hide_\Phi(D)$ are all among the schedules of the schedule module $DL^{t,r,M}$ or $WDL^{t,r,M}$.

5 Permissive Physical Channels

Since the correctness of a data link protocol requires that it work when composed with any FIFO physical channels with appropriate alphabets, we are able to prove the impossibility of a correct protocol satisfying certain requirements by merely demonstrating that no such protocol works when combined with a specific pair of FIFO physical channels. In this section we introduce the channels we will use.

5.1 Definitions

We define a physical channel that is parameterized by end stations $t$ and $r$ and a packet alphabet $P$. It can be considered to be a "very permissive" physical channel. In fact, it can even be considered to be a "universal FIFO physical channel", in the sense of Lemma 5.2 below.

First, we define a set $S$ of ordered pairs $(i, j)$ of positive integers to be a delivery set provided that it satisfies the following two conditions: for each positive integer $j$, $S$ includes a unique element $(i, j)$, and for each positive integer $i$, it includes at most one element $(i, j)$. We say that a delivery set is monotone provided there are no pairs $(i_1, j_1)$ and $(i_2, j_2)$ in $S$ with $i_1 < i_2$ and $j_1 > j_2$.

The state of the physical channel $C^{t,r,P}$ has two counters, $counter_1$ and $counter_2$, an infinite monotone delivery set $S$ of pairs of positive integers, and a partial mapping $packet$ from the set of positive integers to $P$. The counter $counter_1$ represents the number of $send\_pkt$ actions, and $counter_2$ represents the number of $receive\_pkt$ actions, that have occurred so far. The set $S$ determines which packets are delivered, and in what order: it contains pairs $(i, j)$ that correlate the $j$-th $receive\_pkt$ event with the $i$-th $send\_pkt$ event. Thus the restrictions in the definition of a delivery set correspond to the conditions (PL1), and monotonicity corresponds to (PL2). The mapping $packet$ associates with an integer $i$ the packet that was sent in the $i$-th $send\_pkt$ event. Initially $counter_1$ and $counter_2$ are zero and $packet$ is undefined everywhere. In a particular execution, the set $S$ is initialized to an arbitrary monotone delivery set and remains fixed.

The transition relation for the automaton $C^{t,r,P}$ consists of all triples $(s', \pi, s)$ described by the following code.¹

$send\_pkt^{t,r}(p)$
    Effect: $counter_1 \leftarrow counter_1 + 1$
            $packet(counter_1) \leftarrow p$

$receive\_pkt^{t,r}(p)$
    Precondition: $packet(i) = p$ and $(i, counter_2 + 1) \in S$, for some $i$
    Effect: $counter_2 \leftarrow counter_2 + 1$

The partition puts all the output actions of $C^{t,r,P}$ (that is, all the $receive\_pkt^{t,r}(p)$ actions, for all $p \in P$) in a single class.

¹ This style of describing I/O automata by giving preconditions (that is, conditions on $s'$) and effects (that is, imperatives to be executed sequentially to transform $s'$ to give $s$) is used in [10]. It is not fundamental to the model, but is rather a notational convenience for describing sets of triples.
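To make the precondition/effect code concrete, here is a simulation of $C^{t,r,P}$, written for this page as an added example (not code from the paper), together with the composition $D(A)$ of Section 4 for one particular protocol $A$. The protocol plugged in is the Alternating Bit protocol mentioned in the introduction, written in our own words; the class and function names, the `keep` predicates that fix the delivery sets, and the message values are all our own constructions. The channel records the pairs $(i, j)$ it actually uses, which is exactly the correspondence built in the proof of Lemma 5.1 below.

```python
"""The permissive channel C^{t,r,P} of Section 5.1, composed with a data link
protocol as in Section 4.  Added example, not code from the paper; the
Alternating Bit protocol below is our own rendering, and all names, the
'keep' predicates and the messages are constructed for this example.
"""
from collections import deque


class PermissiveChannel:
    """State: counter1 (# send_pkt), counter2 (# receive_pkt), a fixed monotone
    delivery set S, and packet(i) = the i-th packet sent.

    S is given by a predicate keep(i) on send numbers: the j-th receive is
    paired with the j-th send number i for which keep(i) holds.  If keep holds
    for infinitely many i this is an infinite monotone delivery set, since the
    kept send numbers are enumerated in increasing order.
    """

    def __init__(self, keep):
        self.keep = keep
        self.counter1 = 0
        self.counter2 = 0
        self.packet = {}
        self.kept = []            # first components of S, ordered by second component
        self.correspondence = []  # (i, j) pairs used so far (Lemma 5.1 construction)

    def send_pkt(self, p):
        """Input action, always enabled: counter1 += 1; packet(counter1) = p."""
        self.counter1 += 1
        self.packet[self.counter1] = p
        if self.keep(self.counter1):
            self.kept.append(self.counter1)

    def receive_enabled(self):
        """Precondition: (i, counter2 + 1) in S for some i with packet(i) defined."""
        return self.counter2 < len(self.kept)

    def receive_pkt(self):
        """Output action: counter2 += 1; returns the delivered packet."""
        assert self.receive_enabled()
        i = self.kept[self.counter2]
        self.counter2 += 1
        self.correspondence.append((i, self.counter2))
        return self.packet[i]


class AbpSender:
    """A^t: packets are (bit, message); the current message is resent until an
    acknowledgement carrying the same bit arrives, then the bit flips."""

    def __init__(self):
        self.bit, self.queue, self.current = 0, deque(), None

    def send_msg(self, m):            # input from the data link environment
        self.queue.append(m)

    def receive_pkt(self, ack):       # input from the reverse channel
        if self.current is not None and ack == self.bit:
            self.current, self.bit = None, self.bit ^ 1

    def output_enabled(self):
        return self.current is not None or bool(self.queue)

    def send_pkt(self):               # output: packet for the forward channel
        if self.current is None:
            self.current = self.queue.popleft()
        return (self.bit, self.current)


class AbpReceiver:
    """A^r: delivers a message when its bit is the expected one, and
    acknowledges every packet received with that packet's bit."""

    def __init__(self):
        self.expected, self.delivered, self.acks = 0, [], deque()

    def receive_pkt(self, pkt):       # input from the forward channel
        bit, m = pkt
        if bit == self.expected:
            self.delivered.append(m)  # the receive_msg(m) output
            self.expected ^= 1
        self.acks.append(bit)

    def output_enabled(self):
        return bool(self.acks)

    def send_pkt(self):               # output: acknowledgement for the reverse channel
        return self.acks.popleft()


def run(messages, keep_fwd, keep_rev, max_rounds=10_000):
    """Compose A^t, A^r, C^{t,r} and C^{r,t} under a fair round-robin schedule:
    each round, every component with an enabled locally controlled action takes
    one step.  Returns (delivered messages, forward-channel correspondence)."""
    sender, receiver = AbpSender(), AbpReceiver()
    fwd, rev = PermissiveChannel(keep_fwd), PermissiveChannel(keep_rev)
    for m in messages:
        sender.send_msg(m)
    for _ in range(max_rounds):
        if sender.output_enabled():
            fwd.send_pkt(sender.send_pkt())
        if fwd.receive_enabled():
            receiver.receive_pkt(fwd.receive_pkt())
        if receiver.output_enabled():
            rev.send_pkt(receiver.send_pkt())
        if rev.receive_enabled():
            sender.receive_pkt(rev.receive_pkt())
        if not any(f() for f in (sender.output_enabled, fwd.receive_enabled,
                                 receiver.output_enabled, rev.receive_enabled)):
            break                      # nothing enabled: the system is quiescent
    return receiver.delivered, fwd.correspondence


def is_monotone(pairs):
    """(PL1)/(PL2) for a correspondence listed in receive order: both components increase."""
    return all(i1 < i2 and j1 < j2 for (i1, j1), (i2, j2) in zip(pairs, pairs[1:]))
```

A constructed run such as `run(["m1", "m2", "m3"], lambda i: i % 2 == 1, lambda i: i % 3 != 0)` loses every even-numbered forward send and every third acknowledgement, yet delivers all three messages in order; the forward correspondence it returns, $(1,1), (3,2), (5,3), (7,4)$, is monotone as Lemma 5.1 requires. Note that a `keep` predicate that is true only finitely often would not be a delivery set at all, since (PL3) would fail; the predicates here are chosen to hold infinitely often.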

Lemma 5.1 The automaton $C^{t,r,P}$ is a FIFO physical channel.

Proof: We must show that $fairbehs(C^{t,r,P}) \subseteq scheds(PL\text{-}FIFO^{t,r,P})$. Let $\beta$ be a fair behavior of $C^{t,r,P}$. We must show that there exists a correspondence relation that makes (PL1), (PL2) and (PL3) true. Since $\beta$ is a fair behavior of $C^{t,r,P}$, there is a fair execution $\alpha$ of $C^{t,r,P}$ with $\beta$ as its behavior. Let $S_0$ be the value of the monotone delivery set $S$ in the execution $\alpha$. We construct a correspondence relation from $S_0$ as follows: if $\pi$ is the $i$-th $send\_pkt^{t,r}$ event in $\beta$, and $\phi$ is the $j$-th $receive\_pkt^{t,r}$ event in $\beta$, then let $\pi$ correspond to $\phi$ exactly if $(i, j) \in S_0$. The fact that (PL1) and (PL2) hold for this choice of correspondence relation follows from the properties of monotone delivery sets.

To prove that (PL3) holds, we suppose that on the contrary $\beta$ contains a finite number $N$ of $receive\_pkt^{t,r}$ events and infinitely many $send\_pkt^{t,r}$ events. Thus in $\alpha$ all the states after the last $receive\_pkt^{t,r}$ event have $counter_2 = N$. Now since $S_0$ is a monotone delivery set, $S_0$ contains $(i, N+1)$ for some positive integer $i$. Let the $i$-th $send\_pkt^{t,r}$ event in $\beta$ be $send\_pkt^{t,r}(p)$. Then in every state of $\alpha$ after this event $packet(i) = p$. The code for the automaton shows that in every state of $\alpha$ after the later of the last $receive\_pkt^{t,r}$ event and the $i$-th $send\_pkt^{t,r}$ event, the action $receive\_pkt^{t,r}(p)$ is enabled. This contradicts the assumption that $\alpha$ is a fair execution.

□

The following converse (which is proved by reversing the construction of the previous proof) shows that $C^{t,r,P}$ has among its fair behaviors all of the schedules of the specification $PL\text{-}FIFO^{t,r,P}$.

Lemma 5.2 Suppose $\beta$ is in $scheds(PL\text{-}FIFO^{t,r,P})$. Then $\beta \in fairbehs(C^{t,r,P})$.

We can combine the permissive physical channels with an arbitrary data link protocol, as follows. If $A$ is a data link protocol for $(t,r)$ and $(M, P_1, P_2)$, then let $D(A)$ be the composition of $A^t$, $A^r$, $C^{t,r,P_1}$ and $C^{r,t,P_2}$. Also let $D'(A) = hide_\Phi(D(A))$, where $\Phi$ is the subset of $acts(D(A))$ consisting of $send\_pkt$ and $receive\_pkt$ actions. By virtue of Lemmas 5.1 and 5.2, we have the following result:

Proposition 5.3 A data link protocol $A$ is correct (respectively, weakly correct) if and only if $D'(A)$ solves the specification module $DL^{t,r,M}$ (respectively, $WDL^{t,r,M}$).

The following corollary will be used in our subsequent proofs.

Corollary 5.4 Suppose that $A$ is a weakly correct data link protocol. Then in every fair behavior of $D'(A)$, the number of $send\_msg^{t,r}$ events is equal to the number of $receive\_msg^{t,r}$ events.

Proof: By Proposition 5.3, it must be that $D'(A)$ solves the specification module $WDL^{t,r,M}$, i.e., every fair behavior of $D'(A)$ is a schedule of $WDL^{t,r,M}$. The conclusion follows from Lemma 3.1.

□


6 Impossibility of Having All Packets Identical

We show here the impossibility of constructing a weakly correct data link protocol that uses only a single type of packet (and so needs no header) to transmit a sequence of identical messages. This result seems weaker than the result we want (that it is impossible to construct a weakly correct data link protocol where all packets contain the same header), but in the next section we will show that in fact the desired result follows from this. By making this simplification we postpone some of the difficult modeling issues, and allow the reader to see the style of impossibility proof in a simpler setting. The technique, of measuring the number of headers by the size of the packet alphabet when the message alphabet has size one, was used earlier without formal proof of a reduction result in [12].

The proof takes the following form: we assume that $A$ is a weakly correct data link protocol in which, in each direction, all packets are identical. Then Corollary 5.4 implies that, in every fair behavior of $D'(A)$, the number of $send\_msg^{t,r}$ events is equal to the number of $receive\_msg^{t,r}$ events. We deduce a series of facts about the states of the end stations during executions of $D'(A)$, by showing that the failure of one of these facts, coupled with the previously derived facts, would enable us to construct a fair behavior in which the number of $send\_msg^{t,r}$ events is unequal to the number of $receive\_msg^{t,r}$ events. Finally, we use these facts to construct two fair executions of $D'(A)$ with identical projections at the receiving automaton, but in one of which two messages are sent while in the other only one message is sent.² Since the projections at the receiver are equal, the two executions contain the same number of $receive\_msg^{t,r}$ events. Thus one of them will have the number of $send\_msg^{t,r}$ events unequal to the number of $receive\_msg^{t,r}$ events. This yields a contradiction to the original assumption that the protocol was weakly correct.

Now, we will restrict our attention to the situation where each of $A^t$ and $A^r$ is deterministic, that is, at most one locally controlled action is enabled in each state, and at most one new state can be reached by applying an action in a state. As we will see later, this involves no loss of generality. Given a state of an end station (i.e., $A^t$ or $A^r$) in such a protocol, there is a unique maximal execution fragment of that automaton that commences with the given state and includes no input actions. (This execution corresponds to running the automaton from the given state in such a way that it receives no inputs, for as long as it can keep taking steps.) We will say that the given state is quiescing if this fragment contains only finitely many $send\_pkt^{t,r}$ (or $send\_pkt^{r,t}$, as appropriate) events.

² That is, in these situations the receiver does not know how many messages were sent.
Our first lemma says that from any state in any execution, if the transmitting automaton is run without receiving any inputs (that is, with no $send\_msg^{t,r}$ or $receive\_pkt^{r,t}$ events) then it must send only finitely many packets to the receiver.

Lemma 6.1 If $A$ is a weakly correct data link protocol for $(t,r)$ and $(M, P_1, P_2)$ with $|P_1| = |P_2| = 1$, $A^t$ and $A^r$ are deterministic, and $\alpha$ is a finite execution of $D'(A)$, then $A^t$ is quiescing in the final state of $\alpha$.

Proof:  The  idea  of  the  proof  is  as  follows.  If  A *  sends  infinitely  many  packets  with  no  response 
then  AT  has  no  hope  of  determining  how  many  sendjmsg*'1  events  have  happened.  In  particular,  we 
show  that  AT  cannot  tell  the  difference  between  the  situation  in  which  one  additional  sendjmsg*'1 
event  occurs  after  the  given  finite  execution  and  the  situation  in  which  no  such  events  occur. 

More precisely, suppose that $A^t$ is not quiescing in the final state of $\alpha$. Let $\beta = sched(\alpha)$. Then consider the schedule $\beta\, send\_msg^{t,r}(m')$ where $m'$ is some arbitrary message in the message alphabet of $A$. This schedule has an extension that is fair and contains no extra $send\_msg^{t,r}$ events (by Lemma A.1). By Corollary 5.4, there is a finite prefix of this extension, say $\beta\, send\_msg^{t,r}(m')\beta'$, which contains as many $receive\_msg^{t,r}$ events as there are $send\_msg^{t,r}$ events in $\beta\, send\_msg^{t,r}(m')$, namely, one more than the number of $send\_msg^{t,r}$ events in $\alpha$.

Let $k$ be the number of $receive\_pkt^{t,r}$ events in $\beta'$. Since we assumed that $\alpha$ ended with $A^t$ not quiescing, we can find a schedule of $A^t$ that is an extension of $\beta|A^t$, say $(\beta|A^t)\gamma$, with $\gamma$ containing only output actions of $A^t$, including $k$ $send\_pkt^{t,r}$ events (but no $send\_msg^{t,r}$ or $receive\_pkt^{r,t}$ events).

Now we consider the sequence $\beta\gamma(\beta'|A^r)$ of actions of $D'(A)$. We show that this sequence is a (not necessarily fair) schedule of $D'(A)$, by showing that its projection on each of the four components of the system is a schedule of that component.

1. This sequence has projection on $A^t$ equal to $(\beta|A^t)\gamma$, which is a schedule of $A^t$ by construction.

2. It has projection on $A^r$ equal to $(\beta\beta')|A^r$ (since $\gamma$ involves only actions of $A^t$), and this is a schedule of $A^r$ since it is equal to $(\beta\, send\_msg^{t,r}(m')\beta')|A^r$.

3. It has projection on $C^{t,r,P_1}$ equal to $(\beta|C^{t,r,P_1})(\gamma|C^{t,r,P_1})((\beta'|A^r)|C^{t,r,P_1})$, which is a schedule of $C^{t,r,P_1}$ since $\gamma|C^{t,r,P_1}$ is a sequence of $k$ $send\_pkt^{t,r}(p)$ events, and $(\beta'|A^r)|C^{t,r,P_1}$ is a sequence of $k$ $receive\_pkt^{t,r}(p)$ events, where $p$ is the unique element of the packet alphabet $P_1$.

4. It has projection on $C^{r,t,P_2}$ equal to $(\beta|C^{r,t,P_2})((\beta'|A^r)|C^{r,t,P_2})$ (since $\gamma$ involves only output actions of $A^t$, and thus no actions of $C^{r,t,P_2}$) and this is a schedule of $C^{r,t,P_2}$ since $(\beta'|A^r)|C^{r,t,P_2}$ consists only of $send\_pkt^{r,t}$ events, which are inputs to $C^{r,t,P_2}$ (and I/O automata must be input-enabled).

Since its projection on each component is a schedule of that component, the sequence $\beta\gamma(\beta'|A^r)$ is a schedule of $D'(A)$, by Lemma A.4.

Now consider the two schedules $\beta\gamma(\beta'|A^r)$ and $\beta\, send\_msg^{t,r}(m')\beta'$. They both have the same projection on $A^r$ and hence contain the same number of $receive\_msg^{t,r}$ events. By the argument at the beginning of this proof, this number is exactly one more than the number of $send\_msg^{t,r}$ events in $\beta$. On the other hand, the number of $send\_msg^{t,r}$ events in $\beta\gamma(\beta'|A^r)$ is the same as the number of $send\_msg^{t,r}$ events in $\beta\gamma$ (the two schedules having the same projection on $A^t$), and this is the same as the number of $send\_msg^{t,r}$ events in $\beta$, which we just showed is one fewer than the number of $receive\_msg^{t,r}$ events in the same schedule $\beta\gamma(\beta'|A^r)$.

Now when we consider a fair extension of $\beta\gamma(\beta'|A^r)$ that contains no further $send\_msg^{t,r}$ events, we find that it contains more $receive\_msg^{t,r}$ events than $send\_msg^{t,r}$ events. This contradicts Corollary 5.4. Thus our assumption (that the lemma was false) must be invalid. □

Our second lemma says that from any state in any execution, if the receiving automaton is run without receiving any inputs, then it must send infinitely many packets to the transmitter.

Lemma 6.2 If $A$ is a weakly correct data link protocol for $(t,r)$ and $(M, P_1, P_2)$ with $|P_1| = |P_2| = 1$, $A^t$ and $A^r$ are deterministic, and $\alpha$ is a finite execution of $D'(A)$, then $A^r$ is not quiescing in the final state of $\alpha$.

Proof: Suppose the contrary: that $A^r$ is quiescing in the final state. Once again, we reach a contradiction by constructing two fair schedules of $D'(A)$ with the same number of $receive\_msg^{t,r}$ events, but different numbers of $send\_msg^{t,r}$ events. Let $\alpha_1$ be the maximal execution fragment of $A^t$ containing no inputs and starting from the state of $A^t$ at the end of $\alpha$. Similarly let $\alpha_2$ be the maximal execution fragment of $A^r$ containing no inputs and starting from the state of $A^r$ at the end of $\alpha$. By definition, the projection of $\alpha\alpha_1$ on $A^t$ is a fair execution of $A^t$, and likewise the projection of $\alpha\alpha_2$ on $A^r$ is a fair execution of $A^r$. By Lemma 6.1 $\alpha_1$ contains only finitely many $send\_pkt^{t,r}$ events, and by assumption $\alpha_2$ contains only finitely many $send\_pkt^{r,t}$ events. Now we consider any sequence of actions $\gamma$ formed by interleaving the sequences $sched(\alpha_1)$ and $sched(\alpha_2)$.

We claim that $sched(\alpha)\gamma$ is a fair schedule of $D'(A)$. We show this by showing that its projection on each of the four components of the system is a fair schedule of that component.

1. Its projection on $A^t$ is just $(sched(\alpha|A^t))\, sched(\alpha_1)$, which is a fair schedule of $A^t$ by the definition of $\alpha_1$.

2. Its projection on $A^r$ is $(sched(\alpha|A^r))\, sched(\alpha_2)$, which is a fair schedule of $A^r$.

3. Its projection on $C^{t,r,P_1}$ is just the projection of $sched(\alpha)$ on that channel followed by a finite number of $send\_pkt^{t,r}$ events. This is of course a schedule of $C^{t,r,P_1}$, and is fair because the delivery set could specify the loss of all of the finite number of packets sent but not delivered.

4. Similarly the projection on $C^{r,t,P_2}$ is a fair schedule of $C^{r,t,P_2}$.

Since its projection on each component is a fair schedule of that component, Lemma A.4 implies that $sched(\alpha)\gamma$ is a fair schedule of $D'(A)$. By Corollary 5.4 the number of $receive\_msg^{t,r}$ events in $sched(\alpha)\gamma$ equals the number of $send\_msg^{t,r}$ events.

Now we construct another fair schedule, $sched(\alpha)\, send\_msg^{t,r}(m)\gamma'$, which contains the same number of $receive\_msg^{t,r}$ events as $sched(\alpha)\gamma$ but a different number of $send\_msg^{t,r}$ events (one more), which yields a contradiction. More specifically, consider $\alpha\, send\_msg^{t,r}(m)$, where $m$ is an arbitrary element of the message alphabet.

Let $\alpha_3$ be the maximal execution fragment of $A^t$ containing no inputs and starting from the state of $A^t$ at the end of $\alpha\, send\_msg^{t,r}(m)$. By Lemma 6.1, $\alpha_3$ contains only finitely many $send\_pkt^{t,r}$ events. Now we consider the sequence of actions $\gamma'$ formed by interleaving (in any fashion) the sequences $sched(\alpha_3)$ and $sched(\alpha_2)$. Just as above, $sched(\alpha)\, send\_msg^{t,r}(m)\gamma'$ is a fair schedule of $D'(A)$, and so by Corollary 5.4, the number of $receive\_msg^{t,r}$ events in $sched(\alpha)\, send\_msg^{t,r}(m)\gamma'$ is equal to the number of $send\_msg^{t,r}$ events. However, since $sched(\alpha)\, send\_msg^{t,r}(m)\gamma'|A^r$ and $sched(\alpha)\gamma|A^r$ are both equal to $sched(\alpha|A^r)\, sched(\alpha_2)$, we see that the number of $receive\_msg^{t,r}$ events in $sched(\alpha)\, send\_msg^{t,r}(m)\gamma'$ is the same as the number of $receive\_msg^{t,r}$ events in $sched(\alpha)\gamma$. By the equalities proved above, this implies that $sched(\alpha)\gamma$ and $sched(\alpha)\, send\_msg^{t,r}(m)\gamma'$ contain the same number of $send\_msg^{t,r}$ events, which is false. Thus our assumption (that the lemma was false) is invalid. □

The next lemma further characterizes the behavior of a weakly correct data link protocol by showing that the transmitter must both send and receive infinitely many packets.

Lemma 6.3 If $A$ is a weakly correct data link protocol for $(t,r)$ and $(M, P_1, P_2)$ with $|P_1| = |P_2| = 1$, $A^t$ and $A^r$ are deterministic, and $\alpha$ is a fair execution of $D'(A)$ that contains a finite non-zero number of $send\_msg^{t,r}$ actions, then $\alpha|A^t$ contains infinitely many $send\_pkt^{t,r}$ actions and infinitely many $receive\_pkt^{r,t}$ actions.

Proof: We show that every other possibility leads to a contradiction.

1. Suppose $\alpha|A^t$ contains infinitely many $send\_pkt^{t,r}$ actions and finitely many $receive\_pkt^{r,t}$ actions. Then there is a suffix of $\alpha|A^t$ that contains no input actions (neither $send\_msg^{t,r}$ nor $receive\_pkt^{r,t}$ actions) but contains infinitely many $send\_pkt^{t,r}$ actions. The state of $A^t$ at the start of this suffix must be not quiescing, which contradicts Lemma 6.1.

2. Suppose $\alpha|A^t$ contains finitely many $send\_pkt^{t,r}$ actions and finitely many $receive\_pkt^{r,t}$ actions. Then $\alpha|A^r$ contains finitely many $receive\_pkt^{t,r}$ actions (since the channel $C^{t,r,P_1}$ delivers at most as many packets as were sent) and contains finitely many $send\_pkt^{r,t}$ actions (since a fair execution of $C^{r,t,P_2}$ would contain an infinite number of $receive\_pkt^{r,t}$ events if it contained an infinite number of $send\_pkt^{r,t}$ events). Thus there is a suffix of $\alpha|A^r$ that contains no input events and only a finite number of $send\_pkt^{r,t}$ events. The state of $A^r$ at the start of this suffix is quiescing, which contradicts Lemma 6.2.

3. Suppose $\alpha|A^t$ contains finitely many $send\_pkt^{t,r}$ actions and infinitely many $receive\_pkt^{r,t}$ actions. First consider the maximal execution of $A^r$ starting from the initial state of $A^r$ and containing no input actions. This execution is a fair execution of $A^r$. Let $\beta$ be the schedule of this execution. By Lemma 6.2, $\beta$ contains infinitely many $send\_pkt^{r,t}$ actions. Let $\gamma$ be the sequence of actions obtained by interleaving $\beta$ and $sched(\alpha|A^t)$ in such a way that for each $i$ the $i$-th $receive\_pkt^{r,t}$ action is immediately preceded by the $i$-th $send\_pkt^{r,t}$ action. We claim that $\gamma$ is a fair schedule of $D'(A)$. Its projections on $A^t$ and $A^r$ are fair schedules by construction. Its projection on $C^{r,t,P_2}$ is just $send\_pkt^{r,t}(p)\, receive\_pkt^{r,t}(p)\, send\_pkt^{r,t}(p)\, receive\_pkt^{r,t}(p) \ldots$ (where $P_2 = \{p\}$), which is a fair schedule, and its projection on $C^{t,r,P_1}$ is a fair schedule since it consists of the sending of a finite number of packets and the delivery of none (as $\beta$ contains no inputs to $A^r$, in particular no $receive\_pkt^{t,r}$ actions), and this can be achieved by a suitable delivery set.

We observe that $\beta$ (and hence $\gamma$) cannot contain any $receive\_msg^{t,r}$ action. (Otherwise, take the prefix of $\beta$ up to and including the first $receive\_msg^{t,r}$ event, regard it as a schedule of $D'(A)$ where all the actions take place at $A^r$, and extend it to a fair schedule of $D'(A)$ which contains no inputs to $D'(A)$, that is, no $send\_msg^{t,r}$ actions. This contradicts Corollary 5.4.) However, $\gamma$ contains a non-zero number of $send\_msg^{t,r}$ events (the same ones as in $\alpha$). Thus $\gamma$ is a fair schedule of $D'(A)$ which does not contain the same number of $receive\_msg^{t,r}$ events as of $send\_msg^{t,r}$ events, contradicting Corollary 5.4.

□

The final lemma allows us to construct two executions that look identical to the receiver, but have different numbers of messages sent at the transmitting end.

Lemma 6.4 Let $A$ be a weakly correct data link protocol for $(t,r)$ and $(M, P_1, P_2)$ with $|P_1| = |P_2| = 1$, such that $A^t$ and $A^r$ are deterministic. Let $\alpha_1$ and $\alpha_2$ be two fair executions of $D'(A)$ such that $sched(\alpha_1)$ begins with $send\_msg^{t,r}(m)$ and contains no other $send\_msg^{t,r}$ event, and $sched(\alpha_2)$ begins with $send\_msg^{t,r}(m)\, send\_msg^{t,r}(m)$ and contains no other $send\_msg^{t,r}$ event. There exist fair executions $\hat\alpha_1$ and $\hat\alpha_2$ of $D'(A)$ such that $\hat\alpha_i|A^t = \alpha_i|A^t$ for $i = 1, 2$, and such that $\hat\alpha_1|A^r = \hat\alpha_2|A^r$.

Proof: Applying Lemma 6.3 to the execution $\alpha_1$, we see that we may express $sched(\alpha_1|A^t)$ as

$$send\_msg^{t,r}(m)\,\beta_1^1\gamma_1^1\beta_1^2\gamma_1^2\beta_1^3 \ldots$$

where $\beta_1^i$ consists only of internal or $send\_pkt^{t,r}$ actions, $\gamma_1^i$ consists only of internal or $receive\_pkt^{r,t}$ actions, and where each $\beta_1^i$ (except possibly $\beta_1^1$) and each $\gamma_1^i$ contains a finite, non-zero number of $send\_pkt^{t,r}$ or $receive\_pkt^{r,t}$ events.³ Let $a_1^i$ denote the number of $receive\_pkt^{r,t}$ events in $\gamma_1^i$.
Similarly, we see that we may express $sched(\alpha_2|A^t)$ as

$$send\_msg^{t,r}(m)\, send\_msg^{t,r}(m)\,\beta_2^1\gamma_2^1\beta_2^2\gamma_2^2\beta_2^3 \ldots$$

where $\beta_2^i$ consists only of internal or $send\_pkt^{t,r}$ actions, $\gamma_2^i$ consists only of internal or $receive\_pkt^{r,t}$ actions, and where each $\beta_2^i$ (except possibly $\beta_2^1$) and each $\gamma_2^i$ contains a finite, non-zero number of $send\_pkt^{t,r}$ or $receive\_pkt^{r,t}$ events. Let $a_2^i$ denote the number of $receive\_pkt^{r,t}$ events in $\gamma_2^i$.

We construct inductively finite schedules $\delta_1^i$ and $\delta_2^i$ of $D'(A)$ such that

$$\delta_1^i|A^t = send\_msg^{t,r}(m)\,\beta_1^1\gamma_1^1 \ldots \gamma_1^{i-1}\beta_1^i,$$

$$\delta_2^i|A^t = send\_msg^{t,r}(m)\, send\_msg^{t,r}(m)\,\beta_2^1\gamma_2^1 \ldots \gamma_2^{i-1}\beta_2^i,$$

$\delta_1^i|A^r = \delta_2^i|A^r$, and $\delta_j^i$ is an extension of $\delta_j^{i-1}$ for $j = 1, 2$.

The base case of the construction is straightforward, as we put $\delta_1^1 = send\_msg^{t,r}(m)\beta_1^1$ and $\delta_2^1 = send\_msg^{t,r}(m)\, send\_msg^{t,r}(m)\beta_2^1$. Suppose $\delta_1^{i-1}$ and $\delta_2^{i-1}$ have been constructed. By Lemma 6.2, the (uniquely defined, by determinism) state of $A^r$ at the end of $\delta_1^{i-1}$ is not quiescing, and therefore there is an execution fragment of $A^r$ starting from that state containing $\max(a_1^{i-1}, a_2^{i-1})$ $send\_pkt^{r,t}$ events and (possibly) internal events and $receive\_msg^{t,r}$ events, but no input events (i.e., no $receive\_pkt^{t,r}$ events). Let the schedule of this execution fragment be $\eta^i$. We set $\delta_1^i = \delta_1^{i-1}\eta^i\gamma_1^{i-1}\beta_1^i\, receive\_pkt^{t,r}(p)$, where $P_1 = \{p\}$. We show that $\delta_1^i$ is a schedule of $D'(A)$ by showing that its projection at each component is a schedule of that component:

³ The exception is due to the fact that we do not know whether the first packet sent by $A^t$ precedes or follows the first packet received by $A^t$.

1. The projection on $A^t$ is $(\delta_1^{i-1}|A^t)\gamma_1^{i-1}\beta_1^i$, which is a prefix of $sched(\alpha_1)|A^t$ and so is a schedule of $A^t$.

2. The projection on $A^r$ is $(\delta_1^{i-1}|A^r)\eta^i\, receive\_pkt^{t,r}(p)$, which is a schedule of $A^r$ because $\eta^i$ can occur starting from the state after $\delta_1^{i-1}|A^r$ and $receive\_pkt^{t,r}$ is an input action of $A^r$.

3. Its projection on $C^{t,r,P_1}$ is a schedule of $C^{t,r,P_1}$ because $\beta_1^i$ contains at least one $send\_pkt^{t,r}(p)$ event. (The rest may be "lost".)

4. Its projection on $C^{r,t,P_2}$ is a schedule of $C^{r,t,P_2}$ because $\eta^i$ contains at least $a_1^{i-1}$ $send\_pkt^{r,t}(p')$ actions (where $P_2 = \{p'\}$), so that there are enough packets sent in $\delta_1^i$ to account for those received.

We now set $\delta_2^i = \delta_2^{i-1}\eta^i\gamma_2^{i-1}\beta_2^i\, receive\_pkt^{t,r}(p)$. The same argument as for $\delta_1^i$ shows that $\delta_2^i$ is a schedule of $D'(A)$. The fact that $\delta_1^i|A^r = \delta_2^i|A^r$ follows easily using the inductive hypothesis that $\delta_1^{i-1}|A^r = \delta_2^{i-1}|A^r$.

Thus, it is clear that $\delta_1^i$ and $\delta_2^i$ have the properties claimed for them. Now let $\delta_1$ denote the limit of the successively extended schedules $\delta_1^i$. Similarly let $\delta_2$ denote the limit of the $\delta_2^i$. Thus $\delta_i$ is a schedule of $D'(A)$, for $i = 1, 2$. We claim that in fact $\delta_i$ is a fair schedule of $D'(A)$. To show this we consider the projection on each component. Each of the projections $\delta_i|A^t$ and $\delta_i|A^r$ contains infinitely many locally controlled events by construction, and so is fair (using determinism). Each of the projections on a physical channel contains infinitely many packet deliveries, and so is fair by the definition of the permissive channels. Let $\hat\alpha_i$ be a fair execution of $D'(A)$ with schedule $\delta_i$ for $i = 1, 2$. This completes the construction. □

Proposition 6.5 There is no weakly correct data link protocol for $(t,r)$ and $(M, P_1, P_2)$ with $|P_1| = |P_2| = 1$.


Proof: Assume that $A$ is a weakly correct data link protocol with $|P_1| = |P_2| = 1$.

First, we deal with the potential non-determinism of the end-stations. By a result of Goldman and Lynch [7], there is a deterministic automaton $B^t$ (respectively, $B^r$) with fair behaviors that are a subset of the fair behaviors of $A^t$ (respectively, $A^r$).⁴ Put $B = (B^t, B^r)$, which is also a data link protocol with $|P_1| = |P_2| = 1$. Now by Lemmas A.2 and A.4, $fairbehs(D'(B)) \subseteq fairbehs(D'(A))$, and so $B$ is weakly correct (using Lemma 5.3 and the fact that $A$ is weakly correct).

Now, let $m$ be an arbitrary element of the message alphabet. By Lemma A.1, there are fair executions $\alpha_1$ and $\alpha_2$ of $D'(B)$ such that $sched(\alpha_1)$ begins with $send\_msg^{t,r}(m)$ and contains no other $send\_msg^{t,r}$ event, and $sched(\alpha_2)$ begins with $send\_msg^{t,r}(m)\, send\_msg^{t,r}(m)$ and contains no other $send\_msg^{t,r}$ event. Consider the fair executions $\hat\alpha_1$ and $\hat\alpha_2$ whose existence is shown in Lemma 6.4. Since the protocol $B$ is weakly correct, each $\hat\alpha_i$ satisfies Corollary 5.4 (that is, the number of $receive\_msg^{t,r}$ events in $\hat\alpha_i$ equals the number of $send\_msg^{t,r}$ events in $\hat\alpha_i$). Now the number of $send\_msg^{t,r}$ events in $\hat\alpha_i$ is just the number of $send\_msg^{t,r}$ events in $\hat\alpha_i|B^t$, which equals the number of $send\_msg^{t,r}$ events in $\alpha_i|B^t$ by the properties of $\hat\alpha_i$. Since $\alpha_i|B^t$ contains $i$ $send\_msg^{t,r}$ events, we deduce that $\hat\alpha_i$ contains $i$ $receive\_msg^{t,r}$ events, contradicting the fact that $\hat\alpha_1|B^r$ and $\hat\alpha_2|B^r$ are equal, and so contain the same number of $receive\_msg^{t,r}$ events. □

⁴ The proof is actually left as an exercise in [7]. However, the idea is not hard: given an I/O automaton that is not necessarily deterministic, one first removes all except one step $(s', \pi, s)$ for each given $s'$ and partition class. Then one simulates the resulting machines with a single-class machine that gives fair turns to all the classes.
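The construction of Lemma 6.4 and the contradiction of Proposition 6.5, carried out on one concrete protocol, as an added example that is not part of the paper. The transmitter and receiver below, the packet names p and q, the single message m, and the round-by-round driver are all constructed here for illustration; the paper proves the result for every deterministic protocol with $|P_1| = |P_2| = 1$, and this code merely runs the indistinguishability argument on one such protocol. The driver only relies on the end stations' own steps (run each one with no inputs until it emits a packet, deliver that packet, lose the rest), so it would drive any other deterministic pair the same way.

```python
"""Added example (not the paper's code): a protocol with |P1| = |P2| = 1, driven as in
the construction of Lemma 6.4, so that the receiver's projection of an execution with
one send_msg equals its projection of an execution with two send_msg events."""
from collections import deque

PKT, ACK, MSG = "p", "q", "m"          # P1 = {p}, P2 = {q}, and the one message m (constructed)

SEND_MSG, RECV_MSG = "send_msg^{t,r}", "receive_msg^{t,r}"
SEND_PKT_TR, RECV_PKT_TR = "send_pkt^{t,r}", "receive_pkt^{t,r}"
SEND_PKT_RT, RECV_PKT_RT = "send_pkt^{r,t}", "receive_pkt^{r,t}"
RECEIVER_ACTIONS = {RECV_PKT_TR, RECV_MSG, SEND_PKT_RT}   # acts(A^r)


class Transmitter:
    """A^t: deterministic and input-enabled. Once a message has been accepted it keeps
    emitting the one packet p forever, as Lemma 6.3 shows any weakly correct A^t must."""
    def __init__(self):
        self.unacked = deque()
        self.active = False

    def send_msg(self, m):           # input action send_msg^{t,r}(m)
        self.unacked.append(m)
        self.active = True

    def receive_pkt(self, q):        # input action receive_pkt^{r,t}(q): retire the oldest message
        if self.unacked:
            self.unacked.popleft()

    def step(self):                  # the unique enabled locally controlled action, or None
        return (SEND_PKT_TR, PKT) if self.active else None


class Receiver:
    """A^r: deterministic. With no header to read it can only count packets: each one
    triggers the release of a message, and it acknowledges forever (Lemma 6.2)."""
    def __init__(self):
        self.to_release = 0

    def receive_pkt(self, p):        # input action receive_pkt^{t,r}(p)
        self.to_release += 1

    def step(self):
        if self.to_release:
            self.to_release -= 1
            return (RECV_MSG, MSG)
        return (SEND_PKT_RT, ACK)


def run_until_packet(automaton, sched, packet_action):
    """Run one end station with no inputs until it emits a packet, appending every action
    it takes to the global schedule. Returns False if it quiesces first."""
    while True:
        a = automaton.step()
        if a is None:
            return False
        sched.append(a)
        if a[0] == packet_action:
            return True


def execution(n_msgs, rounds):
    """One execution of D'(A): n_msgs messages are submitted up front; then in each round
    the lossy channels deliver exactly one packet per direction and lose the rest
    (a legal choice of delivery set)."""
    tx, rx, sched = Transmitter(), Receiver(), []
    for _ in range(n_msgs):
        tx.send_msg(MSG)
        sched.append((SEND_MSG, MSG))
    for _ in range(rounds):
        if not run_until_packet(tx, sched, SEND_PKT_TR):
            raise RuntimeError("transmitter quiesced; Lemma 6.3 rules this out")
        rx.receive_pkt(PKT)
        sched.append((RECV_PKT_TR, PKT))     # C^{t,r,P1} delivers one packet
        run_until_packet(rx, sched, SEND_PKT_RT)
        tx.receive_pkt(ACK)
        sched.append((RECV_PKT_RT, ACK))     # C^{r,t,P2} delivers one acknowledgement
    return sched


def project(sched, actions):
    return [a for a in sched if a[0] in actions]


def count(sched, action):
    return sum(1 for a in sched if a[0] == action)


def compare(rounds):
    """(receiver projections equal?, #send_msg in each execution, #receive_msg in each)."""
    s1, s2 = execution(1, rounds), execution(2, rounds)
    same_view = project(s1, RECEIVER_ACTIONS) == project(s2, RECEIVER_ACTIONS)
    return (same_view, count(s1, SEND_MSG), count(s2, SEND_MSG),
            count(s1, RECV_MSG), count(s2, RECV_MSG))


if __name__ == "__main__":
    print(compare(4))    # (True, 1, 2, 4, 4): the receiver cannot tell the executions apart
```

Because $A^r$ is deterministic and receives the identical input sequence in both executions, its projection is identical by construction, exactly as $\hat\alpha_1|A^r = \hat\alpha_2|A^r$ in Lemma 6.4. Corollary 5.4 would require one release in the first execution and two in the second; the receiver releases the same number in both, so at least one execution violates weak correctness (here, after more than two rounds, both do).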

7 Defining Headers in Protocols with Infinite Packet Alphabet

Most data link protocols in the literature use a finite packet alphabet in each direction, since packets are required to be of limited size. However, it is normally the case that the packets are treated as having two separate parts: a header (which determines what is to be done with the packet) and an encapsulated message (treated as an uninterpreted bit string). Indeed, one can envisage protocols that allow packets of unbounded size because the included messages may have unbounded size, and yet use only a fixed size of header (and thus a finite number of headers). Here we sketch one way in which one can model the existence of headers in a protocol, without assuming that the packets are necessarily structured explicitly with two parts, one a control field and the other an uninterpreted message.

We model the "headers" used by a protocol as follows. Let $A = (A^t, A^r)$ be a data link protocol for $(t,r)$ and $(M, P_1, P_2)$. Let $\equiv$ be an equivalence relation on the domain $M \cup P_1 \cup P_2 \cup states(A^t) \cup states(A^r) \cup acts(A^t) \cup acts(A^r)$. Then $\equiv$ is said to be a header relation for $A$ provided that the following conditions hold.

1. $\equiv$ only relates elements of the same kind, i.e., elements of $M$, or $P_1$, or $states(A^t)$, etc. Also, a start state cannot be related to a non-start state. Moreover, if $a \equiv a'$ for two actions $a$ and $a'$, then $a$ and $a'$ are identical except possibly for a difference in their message or packet parameter. Further, for every pair $a$ and $a'$ of locally controlled events of $A^t$ (respectively, of $A^r$) such that $a \equiv a'$, $a$ and $a'$ are in the same class of $part(A^t)$ (respectively, of $part(A^r)$).

2. For each pair $m, m'$ of messages in $M$, $send\_msg^{t,r}(m) \equiv send\_msg^{t,r}(m')$ if and only if $m \equiv m'$, and $receive\_msg^{t,r}(m) \equiv receive\_msg^{t,r}(m')$ if and only if $m \equiv m'$.

3. For each pair $p, p'$ of packets in $P_1$, $send\_pkt^{t,r}(p) \equiv send\_pkt^{t,r}(p')$ if and only if $p \equiv p'$, and $receive\_pkt^{t,r}(p) \equiv receive\_pkt^{t,r}(p')$ if and only if $p \equiv p'$.

4. For each pair $p, p'$ of packets in $P_2$, $send\_pkt^{r,t}(p) \equiv send\_pkt^{r,t}(p')$ if and only if $p \equiv p'$, and $receive\_pkt^{r,t}(p) \equiv receive\_pkt^{r,t}(p')$ if and only if $p \equiv p'$.

5. For every two states $q$ and $q'$ of $A^t$ (respectively, of $A^r$) with $q \equiv q'$, if action $a$ is enabled in $q$ then there is an action $a'$ with $a \equiv a'$ such that $a'$ is enabled in $q'$.

6. For every two states $q$ and $q'$ of $A^t$ (respectively, of $A^r$) and every two actions $a$ and $a'$ of $A^t$ (respectively, of $A^r$) such that $q \equiv q'$ and $a \equiv a'$, if $r$ is a state such that $(q, a, r)$ is a step of $A^t$ (respectively, of $A^r$) and action $a'$ is enabled in state $q'$, then there exists a state $r'$ such that $r \equiv r'$ and $(q', a', r')$ is a step of $A^t$ (respectively, of $A^r$).

For a data link protocol $A$ for $(t,r)$ and $(M, P_1, P_2)$ with a header relation $\equiv$, we define the set $headers(A, t, r, \equiv)$ to be the set of equivalence classes of packets in $P_1$. Similarly $headers(A, r, t, \equiv)$ is the set of equivalence classes of packets in $P_2$. We think of each equivalence class of packets as being those (in one direction) with the same pattern of bits in the header. Informally, the way a packet is processed must depend only on the header; for example, if receiving a packet takes the protocol to a state where release of a message to the higher layer is possible, then receiving any other packet containing the same header will also take the protocol to a state where release of a message to the higher layer is possible (however, it may be a different message that is released!). We note that for a data link protocol $A$, the diagonal relation, where each message, action etc. is equivalent only to itself, is a header relation for $A$. We say that $A$ has no header under $\equiv$ if each of $headers(A, t, r, \equiv)$ and $headers(A, r, t, \equiv)$ is a singleton set, that is, all packets in $P_1$ are related by $\equiv$, as are all packets in $P_2$. We say that $A$ has no header if there exists a header relation $\equiv$ for $A$ such that $A$ has no header under $\equiv$.

In order to prove that headers are necessary for a data link protocol, we show how to reduce the question of the existence of a protocol with sets of header equivalence classes of a given size to the question of the existence of a protocol using packet alphabets of that size. Combined with our earlier result that there is no weakly correct data link protocol with packet alphabets of size one, this will allow us to show that there is no weakly correct data link protocol that has no header.

Proposition 7.1 Suppose $A = (A^t, A^r)$ is a weakly correct data link protocol for $(t,r)$ and $(M, P_1, P_2)$. If $\equiv$ is a header relation for $A$ such that $|headers(A, t, r, \equiv)| = h_1$ and $|headers(A, r, t, \equiv)| = h_2$, then there are alphabets $M'$, $P_1'$ and $P_2'$ with $|M'| = 1$, $|P_1'| = h_1$ and $|P_2'| = h_2$ and a weakly correct data link protocol $B = (B^t, B^r)$ for $(t,r)$ and $(M', P_1', P_2')$.

Proof: Choose $m$ to be an arbitrary element of $M$ and put $M' = \{m\}$, $P_1' = headers(A, t, r, \equiv)$ and $P_2' = headers(A, r, t, \equiv)$.⁵ These alphabets clearly have the correct cardinalities. Now let $B^t$ be the transmitting automaton for $(t,r)$ and $(M', P_1', P_2')$ defined as follows. The input actions of $B^t$ are $send\_msg^{t,r}(m)$ and $receive\_pkt^{r,t}(p')$ where $p'$ is an element of $P_2'$, the output actions are $send\_pkt^{t,r}(p')$ where $p'$ is an element of $P_1'$, and the internal actions are the internal actions of $A^t$. We say that an action $\pi$ of $A^t$ is represented by an action $\pi'$ of $B^t$ exactly when one of the following conditions holds:

• $\pi'$ is either $send\_msg^{t,r}(m)$ or an internal action of $A^t$ and $\pi = \pi'$

• $\pi'$ is $send\_pkt^{t,r}(p')$ and $\pi = send\_pkt^{t,r}(p)$ for some $p$ which is an element of $p'$

• $\pi'$ is $receive\_pkt^{r,t}(p')$ and $\pi = receive\_pkt^{r,t}(p)$ for some $p$ which is an element of $p'$.

The states and start states of $B^t$ are the same as those of $A^t$. The transition relation of $B^t$ includes $(s', \pi', s)$ exactly when there exists some $\pi$ that is represented by $\pi'$ for which $(s', \pi, s) \in steps(A^t)$. The partition $part(B^t)$ relates locally controlled actions $\pi_1'$ and $\pi_2'$ exactly when $part(A^t)$ relates some (and hence all) pairs $\pi_1$ and $\pi_2$ such that $\pi_1$ is represented by $\pi_1'$ and $\pi_2$ is represented by $\pi_2'$.

Similarly let $B^r$ be the receiving automaton for $(t,r)$ and $(M', P_1', P_2')$ defined as follows. The input actions of $B^r$ are $receive\_pkt^{t,r}(p')$ where $p'$ is an element of $P_1'$, the output actions are $receive\_msg^{t,r}(m)$ and $send\_pkt^{r,t}(p')$ where $p'$ is an element of $P_2'$, and the internal actions are the internal actions of $A^r$. We say that an action $\pi$ of $A^r$ is represented by an action $\pi'$ of $B^r$ exactly when one of the following conditions holds:

⁵ Thus each packet name in the alphabet $P_1'$ is a set of packet names from the alphabet $P_1$.
• $\pi'$ is either $receive\_msg^{t,r}(m)$ or an internal action of $A^r$ and $\pi = \pi'$

• $\pi'$ is $send\_pkt^{r,t}(p')$ and $\pi = send\_pkt^{r,t}(p)$ for some $p$ which is an element of $p'$

• $\pi'$ is $receive\_pkt^{t,r}(p')$ and $\pi = receive\_pkt^{t,r}(p)$ for some $p$ which is an element of $p'$.

The states and start states of $B^r$ are the same as those of $A^r$. The transition relation of $B^r$ includes $(s', \pi', s)$ exactly when there exists some $\pi$ that is represented by $\pi'$ for which $(s', \pi, s) \in steps(A^r)$. The partition $part(B^r)$ relates locally controlled actions $\pi_1'$ and $\pi_2'$ exactly when $part(A^r)$ relates some (and hence all) pairs $\pi_1$ and $\pi_2$ such that $\pi_1$ is represented by $\pi_1'$ and $\pi_2$ is represented by $\pi_2'$.

It is easy to check that $(B^t, B^r)$ is a data link protocol for $(t,r)$ and $(M', P_1', P_2')$. We claim that it is weakly correct, proving the proposition. To prove the claim we will consider an arbitrary fair execution $s_0', \pi_1', s_1', \ldots$ of $D(B)$. From this we can construct an execution $s_0, \pi_1, s_1, \ldots$ of $D(A)$ such that $\pi_i$ is represented by $\pi_i'$ for each $i$, the state of $A^t$ (respectively, of $A^r$) in $s_i$ is the same as the state of $B^t$ (respectively, of $B^r$) in $s_i'$, and the state of $C^{t,r,P_1}$ (respectively, of $C^{r,t,P_2}$) in $s_i$ is related to the state of $C^{t,r,P_1'}$ (respectively, of $C^{r,t,P_2'}$) in $s_i'$ in the natural way: the values for the variables $S$, $counter_1$ and $counter_2$ are the same in $C^{t,r,P_1}$ (respectively, in $C^{r,t,P_2}$) as in $C^{t,r,P_1'}$ (respectively, in $C^{r,t,P_2'}$), and for each $n$ the value of $packet(n)$ in $C^{t,r,P_1}$ (respectively, in $C^{r,t,P_2}$) is one element of its value in $C^{t,r,P_1'}$ (respectively, in $C^{r,t,P_2'}$) except when both values are undefined.⁶ This execution is in fact a fair execution of $D(A)$, as is seen by observing that no action $receive\_msg^{t,r}(m')$ for $m' \neq m$ is enabled in any state $s_i$ (using the weak correctness of $A$ and the fact that no action $\pi_i$ is $send\_msg^{t,r}(m')$), and that therefore if a locally controlled action of $D(A)$ is enabled in $s_i$ then it is represented by a locally controlled action of $D(B)$ that is enabled in $s_i'$. Since this execution is fair, its behavior is a schedule of $WDL^{t,r,M}$. However the two executions have identical behavior (the actions differ only for $send\_pkt$ and $receive\_pkt$ events, which are hidden). Thus there is a correspondence between $send\_msg^{t,r}$ and $receive\_msg^{t,r}$ events that satisfies (DL1) and (DL3). Thus $D(B)$ satisfies $WDL^{t,r,M'}$, and so by Proposition 5.3, $B$ is weakly correct. □
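The header relation conditions of this section and the quotient construction in the proof of Proposition 7.1, as an added example that is not taken from the paper. The alternating-bit receiver automaton, the candidate packet relations `bit_header` and `no_header`, the state relation `skey` and the message relation (all messages equivalent) are assumptions made here for illustration. `check_header_relation` tests conditions 5 and 6, plus the start-state clause of condition 1, exhaustively on a finite automaton (conditions 2 to 4 hold by the way `act_key` is built from the packet and message relations; the partition clause is not checked, since the example has a single class), and `quotient` builds $steps(B^r)$ by the "represented by" rule. Note that the checker refutes only the particular candidate it is given: "has no header" in the paper quantifies over all header relations.

```python
"""Added example (not the paper's code): checking a candidate header relation on a finite
receiver automaton and building the quotient automaton B^r of Proposition 7.1."""
from collections import defaultdict
from itertools import product

MSGS = ("x", "y")                                    # M (constructed)
P1 = tuple(product((0, 1), MSGS))                    # packets t->r: (sequence bit, message)
P2 = (0, 1)                                          # packets r->t: acknowledgement bits


def abp_receiver():
    """A^r of an alternating-bit receiver: state = (expected bit, message awaiting release).
    Returns (states, start states, steps); actions are (kind, parameter) pairs."""
    states = set(product((0, 1), (None,) + MSGS))
    steps = set()
    for e, pend in states:
        for b, m in P1:                              # input-enabled: every packet has a step
            if b == e and pend is None:
                steps.add(((e, pend), ("receive_pkt", (b, m)), (1 - e, m)))   # accept
            else:
                steps.add(((e, pend), ("receive_pkt", (b, m)), (e, pend)))    # duplicate or busy
        if pend is not None:
            steps.add(((e, pend), ("receive_msg", pend), (e, None)))          # release upward
        steps.add(((e, pend), ("send_pkt", 1 - e), (e, pend)))                # ack last accepted bit
    return states, {(0, None)}, steps


def act_key(pkt_key, msg_key):
    """Action classes as conditions 2-4 prescribe: same kind, equivalent parameter."""
    def key(a):
        kind, param = a
        return (kind, msg_key(param) if kind == "receive_msg" else pkt_key(param))
    return key


def check_header_relation(states, start, steps, akey, skey):
    """Exhaustive check of conditions 5 and 6 and the start-state clause of condition 1.
    Returns (True, None) or (False, witness)."""
    enabled, succ = defaultdict(set), defaultdict(set)
    for s, a, t in steps:
        enabled[s].add(a)
        succ[(s, a)].add(t)
    for q, q2 in product(states, repeat=2):
        if skey(q) != skey(q2):
            continue
        if (q in start) != (q2 in start):
            return False, ("cond1", q, q2)
        for a in enabled[q]:
            mates = [a2 for a2 in enabled[q2] if akey(a2) == akey(a)]
            if not mates:                                     # condition 5
                return False, ("cond5", q, q2, a)
            for a2 in mates:                                  # condition 6
                for r in succ[(q, a)]:
                    if not any(skey(r) == skey(r2) for r2 in succ[(q2, a2)]):
                        return False, ("cond6", q, q2, a, a2, r)
    return True, None


def headers(packets, pkt_key):
    """headers(A, ., ., equiv): the equivalence classes of one packet alphabet."""
    classes = defaultdict(set)
    for p in packets:
        classes[pkt_key(p)].add(p)
    return {frozenset(c) for c in classes.values()}


def quotient(steps, pkt_key):
    """steps(B^r): (s', pi', s) iff some pi represented by pi' has (s', pi, s) in steps(A^r).
    Packet parameters become header classes; receive_msg keeps the single message m."""
    out = set()
    for s, (kind, param), t in steps:
        if kind == "receive_msg":
            out.add((s, ("receive_msg", "m"), t))
        else:
            alphabet = P1 if kind == "receive_pkt" else P2
            cls = frozenset(p for p in alphabet if pkt_key(p) == pkt_key(param))
            out.add((s, (kind, cls), t))
    return out


def demo_header_relation():
    states, start, steps = abp_receiver()
    skey = lambda s: (s[0], s[1] is not None)   # same bit, both (or neither) holding a message
    bit_header = lambda p: p[0] if isinstance(p, tuple) else p   # header = sequence/ack bit
    no_header = lambda p: 0                                      # all packets equivalent
    all_msgs = lambda m: 0                                       # a different message may be released
    ok_bit, _ = check_header_relation(states, start, steps, act_key(bit_header, all_msgs), skey)
    ok_none, _ = check_header_relation(states, start, steps, act_key(no_header, all_msgs), skey)
    b_steps = quotient(steps, bit_header)
    return ok_bit, ok_none, len(headers(P1, bit_header)), len(headers(P2, bit_header)), len(b_steps)


if __name__ == "__main__":
    print(demo_header_relation())   # (True, False, 2, 2, 24)
```

The bit relation passes, so $|headers(A, t, r, \equiv)| = |headers(A, r, t, \equiv)| = 2$ for this receiver, while the no-header candidate fails condition 6 (a packet with the expected bit and one with the other bit lead to non-equivalent states). The quotient has fewer steps than $A^r$ but is no longer deterministic: from a state awaiting a packet, the single class action leads to two different states, one per message, which is why Proposition 6.5 has to dispose of non-determinism before applying Lemma 6.4.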

Theorem 7.2 There is no weakly correct data link protocol that has no header.

Proof: Immediate from Proposition 6.5 and Proposition 7.1. □
A The I/O Automaton Model

The input/output automaton model was defined in [9] as a tool for modeling concurrent and distributed systems. We refer the reader to [9] and to the expository paper [10] for a complete development of the model, plus motivation and examples. Here, we provide a brief summary of those aspects of the model that are needed for our results.

A.1 Actions and Action Signatures

We assume a universal set of actions, and we refer to a particular occurrence of an action in a sequence as an event.

An action signature $S$ is an ordered triple consisting of three pairwise-disjoint sets of actions. We write $in(S)$, $out(S)$ and $int(S)$ for the three components of $S$, and refer to the actions in the three sets as the input actions, output actions and internal actions of $S$, respectively. We let $ext(S) = in(S) \cup out(S)$ and refer to the actions in $ext(S)$ as the external actions of $S$. Also, we let $local(S) = out(S) \cup int(S)$, and refer to the actions in $local(S)$ as the locally-controlled actions of $S$. Finally, we let $acts(S) = in(S) \cup out(S) \cup int(S)$, and refer to the actions in $acts(S)$ as the actions of $S$. An external action signature is an action signature consisting entirely of external actions, that is, having no internal actions.

A.2 Input/Output Automata

An input/output automaton $A$ (also called an I/O automaton or simply an automaton) consists of five components:

1. an action signature $sig(A)$,

2. a set $states(A)$ of states,

3. a nonempty set $start(A) \subseteq states(A)$ of start states,

4. a transition relation $steps(A) \subseteq states(A) \times acts(sig(A)) \times states(A)$, with the property that for every state $s'$ and input action $\pi$ there is a transition $(s', \pi, s)$ in $steps(A)$, and

5. an equivalence relation $part(A)$ on $local(sig(A))$, having at most countably many equivalence classes.

We refer to an element $(s', \pi, s)$ of $steps(A)$ as a step of $A$. The step $(s', \pi, s)$ is called an input step of $A$ if $\pi$ is an input action. Output steps, internal steps, external steps and locally-controlled steps are defined analogously. If $(s', \pi, s)$ is a step of $A$, then $\pi$ is said to be enabled in $s'$. Since every input action is enabled in every state, automata are said to be input-enabled. The partition $part(A)$ is an abstract description of the underlying components of the automaton, and is used to define fairness.
An execution fragment of A is a finite sequence $s_0 \pi_1 s_1 \pi_2 \cdots \pi_n s_n$ or an infinite sequence
$s_0 \pi_1 s_1 \pi_2 \cdots \pi_n s_n \cdots$ of alternating states and actions of A such that $(s_i, \pi_{i+1}, s_{i+1})$ is a step of A
for every i. An execution fragment beginning with a start state is called an execution. We denote
the set of executions of A by execs(A). A state is said to be reachable in A if it is the final state
of a finite execution of A.

A fair execution of an automaton A is defined to be an execution $\alpha$ of A such that the following
condition holds for each class C of part(A): if $\alpha$ is finite, then no action of C is enabled in the
final state of $\alpha$, while if $\alpha$ is infinite, then either $\alpha$ contains infinitely many events from C, or else
$\alpha$ contains infinitely many occurrences of states in which no action of C is enabled. Thus, a fair
execution gives “fair turns” to each class of part(A). Informally, one class of part(A) typically
consists of all the actions that are controlled by a single subsystem within the system modeled by
the automaton A, and so fairness means giving each such subsystem regular opportunities to take a
step under its control, if any is enabled. In the common case that there is no lower level of structure
to the system modeled by A (when all locally-controlled actions are in a single class of part(A)),
a fair execution is an execution in which infinitely often the automaton is given an opportunity
to take a locally controlled action if any is enabled. We denote the set of fair executions of A by
fairexecs(A).

The schedule of an execution fragment $\alpha$ of A is the subsequence of $\alpha$ consisting of actions, and
is denoted by $sched(\alpha)$. We say that $\beta$ is a schedule of A if $\beta$ is the schedule of an execution of A.
We denote the set of schedules of A by scheds(A). We say that $\beta$ is a fair schedule of A if $\beta$ is the
schedule of a fair execution of A and we denote the set of fair schedules of A by fairscheds(A).

The behavior of an execution or schedule $\alpha$ of A is the subsequence of $\alpha$ consisting of external
actions, and is denoted by $beh(\alpha)$. We say that $\beta$ is a behavior of A if $\beta$ is the behavior of an
execution of A. We denote the set of behaviors of A by behs(A). We say that $\beta$ is a fair behavior
of A if $\beta$ is the behavior of a fair execution of A and we denote the set of fair behaviors of A by
fairbehs(A). When an algorithm is modeled as an I/O automaton, it is the set of fair behaviors of
the automaton that reflects the activity of the algorithm that is important to users. An important
operation on schedules or other sequences is projection. If $\alpha$ is a sequence (of elements of any
alphabet) and $\Phi$ is a set of elements, we write $\alpha|\Phi$ for the subsequence of $\alpha$ consisting of the
occurrences of those elements in the set $\Phi$. Thus if $\alpha$ is an execution or schedule of A, then
$beh(\alpha) = \alpha|ext(A)$.

We say that a finite behavior or schedule $\beta$ of A can leave A in state s if there is a finite
execution $\alpha$ with $\beta$ as its behavior or schedule, such that the final state in $\alpha$ is s.

The following lemma says that no matter what has happened in any finite execution, and no
matter what inputs continue to arrive from the environment, an automaton can continue to take
steps to give a fair execution.

Lemma A.1 Let A be an I/O automaton and let $\gamma$ be a sequence of input actions of A.

1. Suppose that $\alpha$ is a finite execution of A. Then there exists a fair execution $\alpha'$ of A such that
$\alpha'$ is an extension of $\alpha$ and $beh(\alpha')|in(A) = (beh(\alpha)|in(A))\gamma$.

2. Suppose that $\beta$ is a finite schedule of A. Then there exists a fair schedule $\beta'$ of A such that
$\beta'$ is an extension of $\beta$ and $\beta'|in(A) = (\beta|in(A))\gamma$.
A.3 Schedule Modules

In line with our approach, where the facts about an algorithm that are important to its users are
modeled by the set of fair behaviors of an automaton, we also give a formal model for a problem
specification by a set of sequences of actions. More precisely, a problem will be specified by a pair
consisting of an action signature and a set of sequences over the actions in that signature. (In most
interesting cases, the action signature will be an external action signature.) The mathematical
object used to describe a problem is called a “schedule module”.

A schedule module H consists of two components:

1. an action signature sig(H), and

2. a set scheds(H) of schedules.

Each schedule in scheds(H) is a finite or infinite sequence of actions of H.

The behavior of a schedule $\beta$ of H is the subsequence of $\beta$ consisting of external actions, and
is denoted by $beh(\beta)$. We say that $\beta$ is a behavior of H if $\beta$ is the behavior of an execution of
H. We denote the set of behaviors of H by behs(H). We extend the definitions of fair schedules
and fair behaviors to schedule modules in a trivial way, letting fairscheds(H) = scheds(H) and
fairbehs(H) = behs(H).

We use the term module to designate either an automaton or schedule module. If M is a module,
we sometimes write acts(M) as shorthand for acts(sig(M)), and likewise for in(M), out(M), etc.
If $\beta$ is any sequence of actions and M is a module, we write $\beta|M$ for $\beta|acts(M)$.

A.4 Solving Problems

Now we are ready to define our notion of “solving”. This notion is intended for describing the
way in which particular algorithms (formalized as automata) solve particular problems (formalized
as schedule modules). Let A be an automaton and H a schedule module with the same external
action signature as A. Then we say that A solves H if $fairbehs(A) \subseteq behs(H)$.
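The definitions of A.1 to A.4 above, worked through in Python as an added example that is not part of the paper: a signature and automaton are plain data, executions are checked against the step relation, fairness is decided for finite executions (the final state must enable no class of part(A)), behaviors are obtained by projection onto the external actions, and "A solves H" is checked in a bounded way over all finite fair executions. The lossy-channel automaton, the lossy-FIFO specification predicate and every name below are constructed for illustration and are not the paper's own automata.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Signature:            # A.1: three pairwise-disjoint sets of actions
    inputs: frozenset
    outputs: frozenset
    internals: frozenset

    def __post_init__(self):
        assert not (self.inputs & self.outputs or self.inputs & self.internals
                    or self.outputs & self.internals)

    def ext(self):
        return self.inputs | self.outputs

    def local(self):
        return self.outputs | self.internals

    def acts(self):
        return self.inputs | self.outputs | self.internals


@dataclass(frozen=True)
class Automaton:            # A.2; part is a tuple of classes partitioning local(sig)
    sig: Signature
    states: frozenset
    start: frozenset
    steps: frozenset        # triples (s', pi, s)
    part: tuple


def is_input_enabled(A):
    """Required of steps(A): every input action has a step from every state."""
    return all(any(s0 == s and a == pi for (s0, a, _) in A.steps)
               for s in A.states for pi in A.sig.inputs)


def enabled(A, s):
    return {a for (s0, a, _) in A.steps if s0 == s}


def is_execution(A, alpha):
    """alpha = [s0, pi1, s1, ..., pin, sn]: a start state, then steps of A."""
    return (len(alpha) % 2 == 1 and alpha[0] in A.start
            and all(tuple(alpha[k:k + 3]) in A.steps for k in range(0, len(alpha) - 2, 2)))


def is_fair_finite(A, alpha):
    """Fairness of a finite execution: no class of part(A) is enabled at the end."""
    return is_execution(A, alpha) and not any(cls & enabled(A, alpha[-1]) for cls in A.part)


def project(seq, phi):
    return [x for x in seq if x in phi]        # seq|phi


def beh(A, alpha):
    return project(alpha[1::2], A.sig.ext())   # sched(alpha)|ext(A)


def fair_finite_behs(A, max_steps):
    """Behaviors of every fair execution with at most max_steps steps (DFS)."""
    found, stack = set(), [[s] for s in A.start]
    while stack:
        alpha = stack.pop()
        if is_fair_finite(A, alpha):
            found.add(tuple(beh(A, alpha)))
        if len(alpha) // 2 < max_steps:
            stack.extend(alpha + [a, s] for (s0, a, s) in A.steps if s0 == alpha[-1])
    return found


def solves_bounded(A, spec, max_steps):
    """Bounded check of 'A solves H' (A.4), behs(H) being given by spec(beta).
    Only finite executions are examined, so True is evidence, not a proof."""
    return all(spec(b) for b in fair_finite_behs(A, max_steps))


# Constructed example: a lossy channel buffering at most CAP messages.
MSGS, CAP = (0, 1), 2


def lossy_channel():
    sig = Signature(frozenset(f"send({m})" for m in MSGS),
                    frozenset(f"receive({m})" for m in MSGS), frozenset({"lose"}))
    states = {q for n in range(CAP + 1) for q in product(MSGS, repeat=n)}
    steps = set()
    for q in states:
        for m in MSGS:   # input-enabled: a full buffer silently drops the message
            steps.add((q, f"send({m})", q + (m,) if len(q) < CAP else q))
        if q:            # locally controlled: deliver or lose the head message
            steps.add((q, f"receive({q[0]})", q[1:]))
            steps.add((q, "lose", q[1:]))
    # a single partition class: the "no lower level of structure" case
    return Automaton(sig, frozenset(states), frozenset({()}), frozenset(steps), (sig.local(),))


def lossy_fifo_spec(beta):
    """behs(H) for a lossy FIFO: received messages form a subsequence of the sent
    ones, each after its send (loss allowed; no reordering or duplication)."""
    pending = []
    for a in beta:
        if a.startswith("send"):
            pending.append(a[5:-1])
        else:
            m = a[8:-1]
            if m not in pending:
                return False
            del pending[:pending.index(m) + 1]   # earlier unreceived ones were lost
    return True


# Constructed execution: two messages buffered, a third dropped, one delivered, one lost.
EXAMPLE_EXECUTION = [(), "send(1)", (1,), "send(0)", (1, 0), "send(1)", (1, 0),
                     "receive(1)", (0,), "lose", ()]
```

The fairness condition for infinite executions cannot be decided by inspecting a finite prefix, which is why only the finite clause of the definition is implemented and the solves check is bounded; the `lose` action is internal, so it never appears in a behavior, and the specification must therefore tolerate missing messages while still rejecting reordering.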

A.5 Composition

The most useful way of combining I/O automata is by means of a composition operator, as defined
in this subsection. This models the way algorithms interact, as for example when the pieces of a
communication protocol at different nodes and a lower-level protocol all work together to provide
a higher-level service.

A.5.1 Composition of Action Signatures

Let I be an index set that is at most countable. A collection $\{S_i\}_{i \in I}$ of action signatures is said to
be strongly compatible if for all $i, j \in I$ with $i \neq j$, we have

1. $out(S_i) \cap out(S_j) = \emptyset$,

2. $int(S_i) \cap acts(S_j) = \emptyset$, and

3. no action is in $acts(S_i)$ for infinitely many i.

Thus, no action is an output of more than one signature in the collection, and internal actions
of any signature do not appear in any other signature in the collection.

The composition $S = \prod_{i \in I} S_i$ of a collection of strongly compatible action signatures $\{S_i\}_{i \in I}$ is
defined to be the action signature with $in(S) = \bigcup_{i \in I} in(S_i) \setminus \bigcup_{i \in I} out(S_i)$, $out(S) = \bigcup_{i \in I} out(S_i)$,
and $int(S) = \bigcup_{i \in I} int(S_i)$. Thus, output actions are those that are outputs of any of the component
signatures, and similarly for internal actions. Input actions are any actions that are inputs to any
of the component signatures, but outputs of no component signature.

A.5.2 Composition of Automata

A collection $\{A_i\}_{i \in I}$ of automata is said to be strongly compatible if their action signatures are
strongly compatible. The composition $A = \prod_{i \in I} A_i$ of a strongly compatible collection of automata
$\{A_i\}_{i \in I}$ has the following components:

1. $sig(A) = \prod_{i \in I} sig(A_i)$,

2. $states(A) = \prod_{i \in I} states(A_i)$ [7],

3. $start(A) = \prod_{i \in I} start(A_i)$,

4. steps(A) is the set of triples $(s_1, \pi, s_2)$ such that for all $i \in I$, if $\pi \in acts(A_i)$ then $(s_1[i], \pi, s_2[i]) \in
steps(A_i)$, and if $\pi \notin acts(A_i)$ then $s_1[i] = s_2[i]$ [8], and

5. $part(A) = \bigcup_{i \in I} part(A_i)$.

Since the automata $A_i$ are input-enabled, so is their composition, and hence their composition is
an automaton. Each step of the composition automaton consists of all the automata that have
a particular action in their signatures performing that action concurrently, while the automata
that do not have that action in their signatures do nothing. The partition for the composition is
formed by taking the union of the partitions for the components. Thus, a fair execution of the
composition gives fair turns to all of the classes within all of the component automata. In other
words, all component automata in a composition continue to act autonomously. If $\alpha = s_0 \pi_1 s_1 \ldots$ is
an execution of A, let $\alpha|A_i$ be the sequence obtained by deleting $\pi_j s_j$ when $\pi_j$ is not an action of
$A_i$, and replacing the remaining $s_j$ by $s_j[i]$.

The following basic results relate executions, schedules and behaviors of a composition to those
of the automata being composed. The first result says that the projections of executions of a
composition onto the components are executions of the components, and similarly for schedules,
etc. The parts of this result dealing with fairness depend on the fact that at most one component
automaton can impose preconditions on each action.

Lemma A.2 Let $\{A_i\}_{i \in I}$ be a strongly compatible collection of automata, and let $A = \prod_{i \in I} A_i$. If
$\alpha \in execs(A)$ then $\alpha|A_i \in execs(A_i)$ for all $i \in I$. Moreover, the same result holds for fairexecs,
scheds, fairscheds, behs and fairbehs in place of execs.

[7] Note that the second and third components listed are just ordinary Cartesian products, while the first component
uses a previous definition.

[8] We use the notation s[i] to denote the i-th component of the state vector s.
Certain converses of the preceding lemma are also true. The following lemma says that executions
of component automata can be patched together to form an execution of the composition.

Lemma A.3 Let $\{A_i\}_{i \in I}$ be a strongly compatible collection of automata, and let $A = \prod_{i \in I} A_i$.
For all $i \in I$, let $\alpha_i$ be an execution of $A_i$. Suppose $\beta$ is a sequence of actions in ext(A) such
that $\beta|A_i = beh(\alpha_i)$ for every i. Then there is an execution $\alpha$ of A such that $\beta = beh(\alpha)$ and
$\alpha_i = \alpha|A_i$ for all i. Moreover, if $\alpha_i$ is a fair execution of $A_i$ for all i, then $\alpha$ may be taken to be a
fair execution of A.

Similarly, schedules or behaviors of component automata can be patched together to form
schedules or behaviors of the composition.

Lemma A.4 Let $\{A_i\}_{i \in I}$ be a strongly compatible collection of automata, and let $A = \prod_{i \in I} A_i$. Let
$\beta$ be a sequence of actions in acts(A). If $\beta|A_i \in scheds(A_i)$ for all $i \in I$, then $\beta \in scheds(A)$.
Moreover, the same result holds for fairscheds, behs and fairbehs in place of scheds.

A.6 Hiding Output Actions

We now define an operator that hides a designated set of output actions in a given automaton to
produce a new automaton in which the given actions are internal. Namely, suppose A is an I/O
automaton and $\Phi \subseteq out(A)$ is any subset of the output actions of A. Then we define a new automaton,
$hide_\Phi(A)$, to be exactly the same as A except for its signature component. For the signature
component, we have $in(hide_\Phi(A)) = in(A)$, $out(hide_\Phi(A)) = out(A) \setminus \Phi$, and $int(hide_\Phi(A)) = int(A) \cup \Phi$.
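Composition (A.5), the projection $\alpha|A_i$ of Lemma A.2, and hiding (A.6) in Python, as an added example that is not part of the paper: strong compatibility and the composite signature follow A.5.1, the composite step relation is built exactly from item 4 of A.5.2 (every component that has the action in its signature takes a step, the others stay put), and hiding moves a set of outputs into the internal set. The two components, a sender feeding a one-slot lossy channel, mirror the protocol-stack motivation given at the start of A.5; they, the example execution and all names are constructed for illustration, and the representations (a signature as three frozensets, an automaton as signature, start states and step set) are this example's, not the paper's notation.

```python
from collections import namedtuple
from itertools import product

# Representations for this example: a composite state is a tuple s with s[i]
# the state of component i, matching the paper's s[i] notation.
Sig = namedtuple("Sig", "inputs outputs internals")
Aut = namedtuple("Aut", "sig start steps")


def acts(sig):
    return sig.inputs | sig.outputs | sig.internals


def strongly_compatible(sigs):
    """A.5.1: for i != j, no shared outputs and no internal action of S_i in
    acts(S_j). Condition 3 holds trivially for a finite collection."""
    return all(not (sigs[i].outputs & sigs[j].outputs)
               and not (sigs[i].internals & acts(sigs[j]))
               for i in range(len(sigs)) for j in range(len(sigs)) if i != j)


def compose_sigs(sigs):
    """in(S) = U in(S_i) minus U out(S_i); out(S) = U out(S_i); int(S) = U int(S_i)."""
    assert strongly_compatible(sigs)
    outs = frozenset().union(*(s.outputs for s in sigs))
    ins = frozenset().union(*(s.inputs for s in sigs)) - outs
    return Sig(ins, outs, frozenset().union(*(s.internals for s in sigs)))


def composite_successors(auts, s1, pi):
    """All s2 with (s1, pi, s2) a step of the composition (A.5.2, item 4): each
    component with pi in its signature takes a pi-step from s1[i], the others
    keep their state. Empty when some such component has no pi-step from s1[i]."""
    choices = [[s for (s0, a, s) in A.steps if s0 == s1[i] and a == pi]
               if pi in acts(A.sig) else [s1[i]] for i, A in enumerate(auts)]
    return {tuple(c) for c in product(*choices)}


def states_of(A):
    return set(A.start) | {s0 for (s0, _, _) in A.steps} | {s for (_, _, s) in A.steps}


def compose(auts):
    """The composition automaton: product of start states, steps from item 4."""
    sig = compose_sigs([A.sig for A in auts])
    start = frozenset(product(*(A.start for A in auts)))
    steps = {(s1, pi, s2) for s1 in product(*(states_of(A) for A in auts))
             for pi in acts(sig) for s2 in composite_successors(auts, s1, pi)}
    return Aut(sig, start, frozenset(steps))


def is_execution(A, alpha):
    return (len(alpha) % 2 == 1 and alpha[0] in A.start
            and all(tuple(alpha[k:k + 3]) in A.steps for k in range(0, len(alpha) - 2, 2)))


def project_execution(alpha, i, A):
    """alpha|A_i: drop pi_j s_j when pi_j is not an action of A_i and replace
    each remaining state s_j by its i-th component s_j[i]."""
    out = [alpha[0][i]]
    for k in range(1, len(alpha), 2):
        if alpha[k] in acts(A.sig):
            out += [alpha[k], alpha[k + 1][i]]
    return out


def lemma_a2_holds(auts, alpha):
    """Lemma A.2 on one execution of the composition: every projection is an
    execution of its component."""
    return is_execution(compose(auts), alpha) and all(
        is_execution(A, project_execution(alpha, i, A)) for i, A in enumerate(auts))


def hide(A, phi):
    """A.6: hide_phi(A) moves the output actions phi into the internal set."""
    assert phi <= A.sig.outputs
    return Aut(Sig(A.sig.inputs, A.sig.outputs - phi, A.sig.internals | phi),
               A.start, A.steps)


# Constructed components: both hold at most one message; an input arriving while
# the slot is full overwrites it (sender) or is lost (channel).
MSGS = (0, 1)


def one_slot(in_name, out_name, overwrite):
    sig = Sig(frozenset(f"{in_name}({m})" for m in MSGS),
              frozenset(f"{out_name}({m})" for m in MSGS), frozenset())
    steps = set()
    for s in (None,) + MSGS:
        for m in MSGS:                      # input-enabled in every state
            steps.add((s, f"{in_name}({m})", m if overwrite or s is None else s))
        if s is not None:                   # output: pass the stored message on
            steps.add((s, f"{out_name}({s})", None))
    return Aut(sig, frozenset({None}), frozenset(steps))


def sender():
    return one_slot("sendmsg", "sendpkt", overwrite=True)


def channel():
    return one_slot("sendpkt", "recvpkt", overwrite=False)


# Constructed execution of sender x channel: one message carried end to end.
EXAMPLE_EXECUTION = [(None, None), "sendmsg(1)", (1, None), "sendpkt(1)", (None, 1),
                     "recvpkt(1)", (None, None)]
```

In the composition the `sendpkt` actions are outputs of the sender and inputs of the channel, so by A.5.1 they are outputs of the composite and no longer inputs; hiding them afterwards is what makes the sender-plus-channel stack present only `sendmsg` and `recvpkt` externally, the shape of interface a higher-level service is specified against.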